
Sections
- Breakdown of /? (section by section)
- Testing a Port (Troubleshooting)
- Testing a Service Set (Troubleshooting)
- Port Scanning
- Using PortQry to watch for Trojans.
- Monitoring a Service

As you can see you have three options with PortQry... CLI, Interactive and Local Mode. CLI allows you to call a single command and receive the output... we'll use this while we're scripting. Interactive Mode allows you to run a series of tests against a single node. Local Mode allows you to more closely examine the PC on which you are running PortQry.

Not a lot to explain here... you could really look this over yourself by running the command, but this way I ensure that you've read it over first... I would say note the -q option, however I've had varied success with it... otherwise it would be the ultimate scripting tool.

Code:

Interactive Mode:
Used as an alternative to command line mode
portqry -i [-options]
For help with Interactive mode options:
- run portqry.exe
- then type 'help' <enter>
example:
portqry -i -n server1 -e 135 -p both

Interactive mode allows for the same functionality as CLI mode, however it drops you into a PortQry prompt to execute the commands.

Local mode is very nice... especially on its own... it'll tell you the mapping of processes to listening/established connections. Think of this as a mixed netstat/fport with a bit more detail. The monitoring function is also provided here, which is a nice feature.

Now.... on with the tutorial.

Testing a Port

Testing a port is very simple, but we might as well cover the basics rather than jump into the advanced stuff and leave people floating behind. This will be done using the CLI.... here's an example of how you do it.

As you can see this is a fairly basic example; it's actually included in the help, however now you can see the output. It resolves the address (which fails in this case... we could bypass this by simply giving the no-resolve option (-nr)). We are told the service is smtp, that it's listening, and the banner is returned. Nothing overly intense, just a very simple test of a port to see if a service is running or not. We'll demonstrate a complete port scan (or partial port scan) in the upcoming sections. However, first I'd like to show you something special that you can do while you are in Interactive mode.

Testing a Service Set

Something that you can do is test a complete service set. Perhaps you want to test the functionality of a mail server... You don't want to run the above command three times, and you could use a port scan... but PortQry allows you to perform certain service checks (as long as they're using the standard port numbers) while in Interactive mode.

Let's take a quick look at interactive mode to understand what we can and can't do.

As you can see there are shortcuts that will send preconfigured queries based on the ports used by different services. We'll use their example and take a look at the output of running the q mail command.

As you can see each of the ports displays either a listening or not listening state, the service name and the banner (if the port is listening). Let's take a quick look at the output from ippl (it lets us see basic connection attempts to our debian node)..

Note the lines in italics... to ensure that it wasn't just a lost packet that led to the assumption that the port is not listening, PortQry will send three queries to the port..

I have followed the TCP stream in Ethereal (a screenshot is available @ http://www.aoaddicts.net/htregz/portqry/ethereal1.jpg) and the software simply sends a SYN packet to the port in question; if there's no response received then the packet is sent two more times, and if a response is received, then the software will return a RST, ACK.

These are the bare bones of the software's functionality... this was more to let you see the output and give you a bit of an understanding of what is happening underneath the software. Now we'll take a look at running a port scan from the software. Again basic, but we'll call it level 2 for the hell of it.

Port Scanning

We'll run the port scans from the CLI and again this is a fairly simple process.

As you can see we told the software to scan our debian node, ports 1 - 1024, and to not resolve the IP; we're also dumping a log file. I could have specified whether I wanted TCP, UDP or BOTH using the -p option, or I could have specified a source port (-sp), however I didn't feel the need to use either of those to make an example of the port scan options. You can see that ports are identified as listening or not listening and when possible the service is named (echo, discard, systat, daytime).

In the following section, you can see that you will also obtain the banners when available.

That's basically all there is to a port scan.... Nothing advanced so far, just basic functionality of the software... consider this a walk-through... Now let's see how we can use PortQry to check for Trojans, RATs, or any PhoneHome software that may be on our system.

Using PortQry to watch for Trojans.

In order to demonstrate this we'll use PortQry in local mode. A complete log of the program being executed on my PC can be found @ http://www.aoaddicts.net/htregz/portqry/local.txt. This can be useful to track down exactly which application has an established connection. Let's take a look at some of the output in the file and then examine how this can help us track down any nasty malware that's opening/using our ports.

Let's look at how it helps me break down IP communication to my PC.

First I'm given a complete statistical breakdown of protocols and states.

As you can see I'm connected to a large number of hosts for the file that I'm downloading through BitTorrent... but if I saw a weird IP showing up that I didn't know, I could simply check this list and see if it was someone that was connecting because of my current torrent downloads. The process is identified, as is the process ID, and then all the connections and their current states.

Let's look at what this will do for us with services as well. We'll use one of the running copies of svchost and look at how it helps us break it down.

As you can see we get the Name and Type of each service... so we can see which services are running themselves inside svchost. TermService also opens up a port (3389), and we can see that it is listening... all in one nice neat chart.

Now let's go on to malware detection. I'm going to use netcat in this case to open the ports for testing purposes... but I think you already know where this is going. You can view the logfile with my 'malware' running @ http://www.aoaddicts.net/htregz/port...al-malware.txt

As you can easily see... an application that I was previously unaware of has opened a port on my PC and is listening for connections.

This is one of the best features of PortQry in my opinion... This could be handy if installed on each machine on a domain in conjunction with pstools (or in a script) to check the current port activity on end-user machines.
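Here is the kind of script the port scan log and the "unknown listener" check above lend themselves to: an added Python example (not from the original post or from PortQry itself) that parses the per-port result lines PortQry writes, keeps only the ports reported as LISTENING, and flags any listener that is not on a baseline allow-list. The log text and the baseline are constructed for the example; the "TCP port N (name service): STATE" line shape is the one PortQry prints, and the regex is an assumption about that shape.

```python
import re
from typing import List, Set, Tuple

# Constructed sample of a PortQry scan log (a 1-1024 style scan with -nr);
# only the per-port result lines are parsed, everything else is ignored.
SAMPLE_LOG = """\
Querying target system called:
 192.0.2.10
querying...
TCP port 7 (echo service): LISTENING
TCP port 9 (discard service): LISTENING
TCP port 11 (systat service): LISTENING
TCP port 13 (daytime service): LISTENING
TCP port 21 (ftp service): NOT LISTENING
TCP port 25 (smtp service): LISTENING
TCP port 3389 (ms-term-serv service): LISTENING
TCP port 5555 (unknown service): LISTENING
UDP port 53 (domain service): LISTENING or FILTERED
"""

# One PortQry result line: protocol, port, service name, state.
LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) port (?P<port>\d+) \((?P<svc>.*?) service\): (?P<state>.+)$"
)

Result = Tuple[str, int, str, str]

def parse_portqry_log(text: str) -> List[Result]:
    """Return (proto, port, service, state) for every result line in a PortQry log."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results.append((m["proto"], int(m["port"]), m["svc"], m["state"].strip()))
    return results

def open_ports(results: List[Result]) -> List[Result]:
    """Keep ports PortQry reports as LISTENING. UDP 'LISTENING or FILTERED' is
    ambiguous (no reply either way), so it is kept rather than silently dropped."""
    return [r for r in results if r[3].startswith("LISTENING")]

def unexpected_listeners(results: List[Result], baseline: Set[Tuple[str, int]]) -> List[Result]:
    """Flag listening ports whose (proto, port) is not in the baseline allow-list."""
    return [r for r in open_ports(results) if (r[0], r[1]) not in baseline]

# Constructed baseline: what this host is expected to have listening.
BASELINE = {("TCP", 7), ("TCP", 9), ("TCP", 11), ("TCP", 13),
            ("TCP", 25), ("TCP", 3389), ("UDP", 53)}

if __name__ == "__main__":
    for proto, port, svc, state in unexpected_listeners(parse_portqry_log(SAMPLE_LOG), BASELINE):
        print(f"UNEXPECTED: {proto}/{port} ({svc}) {state}")
```

Run against a real log file (for example one produced by a scheduled scan on each machine), the baseline becomes the list of ports you have signed off on, and anything else printed is worth looking at.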

Let's take a look now at the last real feature of PortQry before we move on to some of the things that we can do with it.

Monitoring a Port/Service

We can monitor local ports (or services attached to those ports) quite simply using portqry.

What I did was tell portqry to monitor port 25 on my system and keep an eye on its status (checking every 2 seconds). When I started the process, port 25 was closed. I then proceeded to open netcat listening on port 25. The first group of italics was created as soon as it saw that the port was now listening. The second group of italics shows that the port was closed (I killed netcat) and that there's now nothing listening. In essence that's all there is to port monitoring...

There's not a lot here... just an introduction for those of you that haven't used it before.... I've got a few uses for this that I'm going to use to kill some time at work... I'm going to create a VBS script to monitor the services on a machine and email me when they go down (perhaps SMS)... I'm also going to create a Python script to parse the log files and leave only open ports... Perhaps I'll do it with VBS as well.... If I can get -q to work, I'll also create some scripts on that... I'm also working on one troubleshooting script that will run a little bit of everything and return all the results formatted.... I'll turn those all into an Advanced Tutorial on PortQry.... for now here's the basics..

Peace,
HT
